
We have enabled Spring profiling for our Dev, QA and Prod instances, which are running on AWS EC2.
We have different property files like:
application-dev.properties
application-qa.properties
application-prod.properties

And we have configured our datasource in these files like:
spring.datasource.username=test
spring.datasource.password=test

And these credentials are different for each instance and are configured in their respective property files.

I have gone through this link:
https://www.baeldung.com/spring-cloud-vault
to implement Vault with Spring Boot. But I am not getting it fully: they mention a bootstrap.yml file, but we can place credentials for only one instance there.

Can anyone please help me out with how to implement Vault along with Spring profiling, where we have multiple property files?
And how do we fetch the database credentials from Vault using Java code?

gbhati
  • The best pattern is to not have your app Vault aware at all. Instead, have your deployment mechanism retrieve the secrets and inject them into your app (using one or more template files, or the environment). This is quite well researched in K8S, and even works in PCF. Allowing your app to know about Vault is a last resort (unless your app is specifically a secrets management application). – Software Engineer Oct 02 '19 at 19:28

1 Answer


I believe your apps are integrated with Spring Config Server; for reference, check this. The blog you are referring to talks about dynamic credential generation, which is a more complex solution. So, for now, follow the procedure below and modify it accordingly later.

If Spring Config Server is enabled, bootstrap.yaml (check this for the difference between the bootstrap file and application.properties), which lives at src/main/resources/bootstrap.yml, looks something like this:

spring:
  cloud:
    config:
      uri: CONFIG-SERVER-URL
      username: USERNAME
      password: PASSWORD
    vault:
      uri: VAULT_URI
      authentication: token
      token: VAULT_TOKEN
  application:
    name: demo-application

The application reads its configuration from the Spring Config Server based on the profile/environment:

demo-application-dev.yml
demo-application-tst.yml
demo-application-prod.yml

In a similar way, the secrets configured in Vault will be read by the application based on the profile.


So each profile should be configured with its respective secrets. Hence your dev config in Vault should look something like this:

spring.datasource.username=dev
spring.datasource.password=dev

and for the other environments, like demo/prod, configure them differently:

spring.datasource.username=demo
spring.datasource.password=demo


NOTE: Make sure the app name configured in bootstrap.yaml matches the filenames in Spring Config Server, like demo-application-dev.yml, and also the Vault secret path, secrets/secret/demo-application/dev.

Vault Configuration

Add the dependency to your pom.xml file:

<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-starter-vault-config</artifactId>
    <version>1.1.0.RELEASE</version>
</dependency>
Here_2_learn
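The answer above explains the per-profile Vault paths but does not show the Java side the question asks for. The following is an added example, not code from the question, the answer or the Baeldung article. It assumes Spring Boot 2.0.x with spring-cloud-starter-vault-config 1.1.x (the version in the answer), a KV version 1 secrets engine mounted at "secret/", the bootstrap.yml reproduced in the header comment (the Vault hostname vault.internal.example and the VAULT_TOKEN environment variable are assumed), and that the VaultTemplate bean comes from Spring Cloud Vault's bootstrap auto-configuration. The class names DemoApplication and DatasourceCredentials are made up for the example.

```java
// Added example, not code from the original question or answer. Assumes
// Spring Boot 2.0.x, spring-cloud-starter-vault-config 1.1.x, a KV v1 engine
// at "secret/", and this bootstrap.yml (hostname and VAULT_TOKEN are assumed):
//
//   spring:
//     application:
//       name: demo-application
//     cloud:
//       vault:
//         uri: https://vault.internal.example:8200
//         authentication: TOKEN      # fine on a laptop; prefer AWS_IAM on EC2
//         token: ${VAULT_TOKEN}      # injected from the environment, never committed
//         generic:
//           enabled: true
//           backend: secret
//           default-context: application
//           profile-separator: '/'
//
// With SPRING_PROFILES_ACTIVE=dev, Spring Cloud Vault reads, in order of
// precedence, secret/demo-application/dev, secret/demo-application,
// secret/application/dev and secret/application, and exposes every key found
// (here spring.datasource.username / password) as ordinary properties.
package com.example.demo;

import java.util.Arrays;
import java.util.Map;
import javax.annotation.PostConstruct;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.core.env.Environment;
import org.springframework.stereotype.Component;
import org.springframework.vault.core.VaultTemplate;
import org.springframework.vault.support.VaultResponse;

@SpringBootApplication
public class DemoApplication {
    public static void main(String[] args) {
        SpringApplication.run(DemoApplication.class, args);
    }
}

/**
 * Shows the two ways the application can get at the per-profile credentials.
 * Only the first is needed for the datasource: Spring Boot's DataSource
 * auto-configuration binds spring.datasource.* itself, so no profile-specific
 * Java code is required.
 */
@Component
class DatasourceCredentials {

    private static final Logger log = LoggerFactory.getLogger(DatasourceCredentials.class);

    // 1. Property injection: resolved from secret/demo-application/<profile>
    //    exactly as if it had come from application-<profile>.properties.
    //    The ":" default keeps startup from failing on placeholder resolution
    //    so the check below can report a clear error instead.
    @Value("${spring.datasource.username:}")
    private String username;

    @Value("${spring.datasource.password:}")
    private String password;

    private final Environment env;
    private final VaultTemplate vaultTemplate; // assumed: bean from Spring Cloud Vault bootstrap config

    DatasourceCredentials(Environment env, VaultTemplate vaultTemplate) {
        this.env = env;
        this.vaultTemplate = vaultTemplate;
    }

    @PostConstruct
    void verifyCredentialsArrived() {
        // Log which profile supplied the credentials, never the password itself.
        String profiles = Arrays.toString(env.getActiveProfiles());
        if (password.isEmpty()) {
            throw new IllegalStateException("spring.datasource.password missing for profiles "
                + profiles + "; check the Vault path secret/demo-application/<profile>");
        }
        log.info("Datasource user '{}' loaded from Vault for profiles {}", username, profiles);
    }

    // 2. Explicit read with VaultTemplate, for secrets that are not mapped to
    //    properties. Returns the key/value map stored at the path, or null if
    //    nothing is stored there (VaultTemplate.read returns null on a 404).
    Map<String, Object> readForProfile(String profile) {
        VaultResponse response = vaultTemplate.read("secret/demo-application/" + profile);
        return response == null ? null : response.getData();
    }
}
```

Two practical caveats. First, the token in bootstrap.yml is itself a credential worth as much as every secret it can read; on EC2, Spring Cloud Vault's AWS_IAM (or AWS_EC2) authentication lets the instance role log in without any stored token, and each environment's Vault policy should grant read only on secret/demo-application/<that profile> so a dev login cannot read prod. Second, because the shared context secret/demo-application is consulted after the profile-specific one, a password left in the shared path will silently mask a missing prod entry; the startup check above only catches the case where no value arrives at all.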